Thursday, April 27, 2006

Remote access to your desktop

By far the most frequent question I get asked is, "How can I access my desktop remotely?" I usually, and quickly, remind whoever is asking that they mean, "How can I access my desktop remotely and securely?" And there you have the crux of the problem. What is secure? How do you achieve it? How can you set something up that allows secure access without making it so complicated that you never bother using it? Here is my solution. Unfortunately, it is not a "next, next, next, finish" type of solution, but it is as close as I can make it.

I always break the question up into two parts: secure access and desktop access. Once you have achieved one, the other is easier. The answer to part 1 is SSH. SSH stands for Secure SHell, and gives you exactly that. For those who don't know, a shell is a command line interface without any of the graphical functionality, but with all the power of the system (not quite, if you are running Windows). By installing and setting up SSH you gain login access to the system.

I was going to write this for Linux and Windows, but have concentrated solely on Windows for the time being as there are differences in the setup and configuration of Linux (not major, just different), and the majority of people who ask me about this are Windows users.

SSH installation instructions for Windows

I first set this up when I was using Windows as my main operating system, and back then it involved a very convoluted process with Cygwin and Linux binaries. As things moved on, however, it got easier, and now all you have to do is go to SourceForge and download the latest binaries installer release (version 3.8p1-1 20040709 at time of writing). Once it has downloaded, run the installer and accept all the defaults. After all the files have been copied, you will get a message about editing the passwd file. Click OK to this and then Finish. SSH is now installed.

SSH configuration instructions

The next step is to set up a user account that will be used for logging in to the system. I can guarantee that once the system is open to the Internet you will get hundreds (if not thousands) of login attempts every day from automated script routines running against long user lists. By using a user ID that doesn't sit in one of those lists, and only allowing that ID, all of the attempts against your system will be in vain. The trick to picking such an ID is to use a non-standard name or word. Try putting your first and last name together (e.g. stevenixon) or putting a couple of numbers in front of your surname (e.g. 23nixon). It doesn't really matter what you go for, as you won't have to type it in, as long as it isn't guessable.

Obviously, the ID should be given a password! That password should be as secure as you can make it. There are a few schools of thought on password strength. Essentially, it comes down to what's easy and yet secure. Putting in a password like 'p455word#' is relatively secure. It's longer than 7 characters, and it uses a mixture of letters, numbers and non-alphanumeric characters. A password like 'This is my password.' is also good. Whichever you use is up to you: whatever you find easier to remember and type. Just remember, you won't be able to see the password as you type it.

You now need to create a passwd file in c:\Program Files\OpenSSH\etc\ with the correct user ID entered into it. To do this, go to a command prompt, change into the c:\Program Files\OpenSSH\bin\ directory and run the following:

mkpasswd -l -u UserID >> ..\etc\passwd

Substitute the user ID you have set up for UserID.
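One way to check, once the machine is reachable, that the automated guesses described above really are missing your chosen ID. This is an added example, not part of the original post: the log lines are constructed in the usual OpenSSH sshd message format, `summarise` is a hypothetical helper, and `23nixon` is the sample ID from the text.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH sshd message format.
SAMPLE_LOG = """\
sshd[412]: Failed password for illegal user admin from 203.0.113.7 port 4021 ssh2
sshd[413]: Failed password for illegal user test from 203.0.113.7 port 4022 ssh2
sshd[414]: Failed password for root from 203.0.113.7 port 4023 ssh2
sshd[415]: Failed password for invalid user admin from 198.51.100.9 port 5100 ssh2
sshd[416]: Accepted password for 23nixon from 192.0.2.44 port 1190 ssh2
sshd[417]: Failed password for 23nixon from 198.51.100.9 port 5101 ssh2
"""

# Older OpenSSH releases wrote "illegal user", newer ones "invalid user".
LINE = re.compile(
    r"(?P<result>Failed|Accepted) password for "
    r"(?:(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarise(log_text, allowed_user):
    """Tally guessed usernames and source addresses, and flag anything worrying."""
    guessed, sources, alerts = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        user, ip = m.group("user"), m.group("ip")
        if m.group("result") == "Failed":
            guessed[user] += 1
            sources[ip] += 1
            if user == allowed_user:
                # The ID is no longer unguessed: time to pick a new one.
                alerts.append(f"allowed ID guessed from {ip}")
        elif user != allowed_user:
            # A successful login by any other account should never happen.
            alerts.append(f"unexpected login as {user} from {ip}")
    return guessed, sources, alerts

if __name__ == "__main__":
    guessed, sources, alerts = summarise(SAMPLE_LOG, "23nixon")
    print("most guessed IDs:", guessed.most_common(3))
    print("busiest sources: ", sources.most_common(3))
    for alert in alerts:
        print("ALERT:", alert)
```
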

Firewall settings

Most people have a firewall these days, whether it is a NAT router or some software on the machine. In all cases, port 22 must be allowed to reach the machine you want to control. For NAT, a rule must be created to forward the port to the correct IP address; for a firewall on the machine, the port must be allowed to talk to the sshd service. For instructions on doing this, please refer to the documentation that came with your router or firewall software.

Gaining access

The vast majority of people who want access to their machines are coming from Windows machines. The easiest and best solution to remote access for what we have set up is a free program called PuTTY. Download the latest version (0.58 at time of writing) and unzip the contents to your USB drive into a folder named putty.

From a machine that isn't the machine you want to control, run putty.exe. Ensure that SSH is highlighted for the protocol and then enter the IP address of the machine you want to access. If it is local, this will be the internal private address of the machine (e.g. 192.168.1.2). If it is over the Internet, this should be the front-facing IP address that you get from your ISP. Then, under Data, which itself is under Connection, put the user ID into the Auto-login username box. Under SSH, put a tick in Enable compression, and select 2 only for the preferred protocol version. Now click connect.

If all goes to plan, you should get a DOS-like box with a security banner printed on it, and a prompt for your password. After entering your password you should be at a DOS prompt, in your home directory. Type 'dir' and you should get a directory listing. Job done! You have securely accessed your computer.

Remote control

As promised, once you have gained access to the computer, getting remote desktop control access is far easier. Download a program called VNC (at time of writing, 4.1 was the most up-to-date version). Install this onto the PC you want control of. Set up your firewall to deny incoming requests to the VNC service. Finally, put the VNC client software onto your USB stick with PuTTY.

Now, when setting up your connection to the machine using PuTTY, navigate to Connection - SSH - Tunnels, and enter the port number 5900 under Source port and 'localhost:5900' under Destination. Then click Add. Now, when you connect and log in, you can run the VNC client software on the machine you are connecting from and put in 'localhost:5900' as the destination address. When you click connect, you will be remote controlling your home PC.
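A quick way to confirm the setup exposes only what it should: SSH on port 22, and VNC on 5900 only through the tunnel. This is an added example, not part of the original post; `read_banner`, `audit` and `tunnel_ok` are hypothetical helpers and the address is a placeholder. It goes slightly beyond the text by also checking that the server's own banner announces protocol 2 only.

```python
import socket

def read_banner(host, port, timeout=3.0):
    """First line the service sends after connect; None if the port is unreachable."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with s:
        try:
            data = s.recv(64)
        except OSError:          # connected, but nothing was sent in time
            data = b""
    return data.split(b"\n")[0].strip().decode("ascii", "replace")

def audit(address, banner=read_banner):
    """Run from OUTSIDE the home network against the front-facing address."""
    findings = []
    ssh = banner(address, 22)
    if ssh is None:
        findings.append("22: unreachable, sshd or the port forward is not working")
    elif not ssh.startswith("SSH-2.0-"):
        # A server that still accepts protocol 1 announces itself as SSH-1.99 or SSH-1.5.
        findings.append(f"22: banner {ssh!r} does not announce protocol 2 only")
    if banner(address, 5900) is not None:
        findings.append("5900: VNC reachable without the SSH tunnel")
    return findings

def tunnel_ok(banner=read_banner):
    """Run on the client while the PuTTY session with the 5900 tunnel is open."""
    greeting = banner("localhost", 5900)
    # A VNC server opens the conversation with "RFB xxx.yyy".
    return greeting is not None and greeting.startswith("RFB ")

if __name__ == "__main__":
    for finding in audit("192.0.2.10"):   # placeholder: use your own address
        print("FINDING:", finding)
    print("tunnel delivers VNC:", tunnel_ok())
```

An empty list from `audit` means only SSH answers from the outside; `tunnel_ok` returning True means the forwarded port really ends at the VNC service.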

If all this worked, congratulations! This has taken far longer to write than I hoped, and as such has been done over a few days. I apologise if it is incorrect; if you let me know, I'll update it accordingly.
